On September 6th, 2022, iThemes released a security advisory on their BackupBuddy plugin. As a global network, we're able to actively monitor attacks in the wild as they hit our network.
This article shares what we're seeing.
The iThemes article doesn't go into detail about the vulnerability, but describes the vulnerability as this:
This vulnerability could allow an attacker to view the contents of any file on your server that can be read by your WordPress installation. This could include the WordPress wp-config.php file and, depending on your server setup, sensitive files like /etc/passwd.
This is what we call a Local File Inclusion (LFI) vulnerability. As the name implies, LFI vulnerabilities expose, or run, files residing on the same web server. In this instance it appears to be a pretty serious issue if it can expose files like /etc/passwd, a file that holds user information for the server, or even wp-config.php, a file that houses sensitive WordPress information such as database details (including passwords). This is also the type of vulnerability that exposes other information like .env files and API credentials, similar to what we reported on in our AWS Credential Harvesting article.
This vulnerability only impacts sites running BackupBuddy versions 18.104.22.168 through 22.214.171.124.
They provide guidance to look for local-destination-id, /etc/passwd, or wp-config, but I would caution against the latter two. The passwd file is one of the most sought-after files on a web server, and there are a lot of LFI vulnerabilities that are actively scanned for daily.
Here is a better example of what to look for:
perezbox.com cdn-edge-canada-montreal1 126.96.36.199 200 783 - waf:js_challenge 08/Sep/2022:23:29:09 +0000 "GET /wp-admin/admin-ajax.php?local-download=wp-config.php&local-destination-id=0 HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36"
The interesting part of the attack payload is the query string: local-download=wp-config.php&local-destination-id=0
You might also see attacks targeting admin-post.php with the same attack structure.
Analyzing our logs, we're able to confirm attacks starting sometime around August 27th:
At its peak yesterday we were recording 4k attempts against various sites on our network. They ramped up on the 7th / 8th, as is to be expected with the release of the security notice. This only highlights the importance of speed when it comes to pushing security updates to your applications. If speed is not an option, leveraging cloud-based solutions that can protect you at the edge via a Web Application Firewall (WAF) is advised.
Using our Trunc logging platform we ran a quick query to find all the offending IPs. It's been isolated to about 118 IPs, but that will likely grow:
search "local-destination-id" |tail -n 2000 | cut -d " " -f 2 | sort -u -r
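To make the log check concrete, here is an added Python example (not the article's or Trunc's own code) that parses lines in the layout of the log line shown above, flags BackupBuddy download requests against admin-ajax.php or admin-post.php, and tallies the offending IPs, the same result the query above produces. The log lines are constructed samples using documentation addresses, and the field layout and the WAF-action column are assumptions taken from the single line shown.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines (RFC 5737 test addresses) in the layout of the edge log line
# shown above: host edge-node client-ip status bytes - waf-action timestamp "request" "referer" "ua"
SAMPLE_LOG = """\
perezbox.com cdn-edge-canada-montreal1 203.0.113.7 200 783 - waf:js_challenge 08/Sep/2022:23:29:09 +0000 "GET /wp-admin/admin-ajax.php?local-download=wp-config.php&local-destination-id=0 HTTP/1.1" "-" "Mozilla/5.0"
perezbox.com cdn-edge-us-east1 198.51.100.23 403 0 - waf:block 08/Sep/2022:23:31:42 +0000 "GET /wp-admin/admin-post.php?local-download=%2Fetc%2Fpasswd&local-destination-id=0 HTTP/1.1" "-" "curl/7.68.0"
perezbox.com cdn-edge-us-east1 203.0.113.7 200 512 - - 08/Sep/2022:23:32:10 +0000 "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" "-" "Mozilla/5.0"
perezbox.com cdn-edge-eu-west1 192.0.2.44 200 2210 - - 09/Sep/2022:00:02:05 +0000 "GET /wp-admin/admin-ajax.php?local-download=..%2F..%2F.env&local-destination-id=1 HTTP/1.1" "-" "Mozilla/5.0"
perezbox.com cdn-edge-eu-west1 192.0.2.44 200 783 - - 09/Sep/2022:00:02:09 +0000 "GET /index.php?p=1 HTTP/1.1" "-" "Mozilla/5.0"
"""
# Field layout assumed from the single line in the article; the WAF column is "-" when no action was taken.
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<edge>\S+) (?P<ip>\S+) (?P<status>\d{3}) \S+ \S+ (?P<waf>\S+) '
    r'(?P<ts>\S+ \S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)
SUSPECT_SCRIPTS = ("/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php")

def is_backupbuddy_probe(target):
    """Return the file named in local-download when the request has the attack structure, else None."""
    parts = urlsplit(target)
    if parts.path not in SUSPECT_SCRIPTS:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # decodes %2F and friends once
    if "local-download" not in qs:
        return None
    return unquote(qs["local-download"][0])  # second pass catches double-encoded paths

def scan(log_text):
    """Return (ip, status, waf_action, requested_file) for every matching request."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        requested = is_backupbuddy_probe(m["target"])
        if requested is not None:
            hits.append((m["ip"], int(m["status"]), m["waf"], requested))
    return hits

def offending_ips(hits):
    """Attempt count per source IP, the same list the sort -u in the query above yields."""
    return Counter(ip for ip, _status, _waf, _file in hits)

def unblocked_hits(hits):
    """Requests that returned 200 with no WAF action: the ones to verify against the origin."""
    return [h for h in hits if h[1] == 200 and h[2] == "-"]
```

A 200 behind a WAF challenge is the challenge page, not the file, so only the unblocked hits need to be checked against the origin server.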
In the larger security ecosystem, there has been a growing conversation around the importance of security within the supply chain. WordPress, like many systems, has its own ecosystem and supply chain. We have seen this same scenario play out time and time again. What makes WordPress insecure is not WordPress itself, but the thing that makes it so powerful: its extensibility. Plugins, themes, etc. are all pieces of the WordPress supply chain ecosystem.
Over the next few years, the larger InfoSec pressures and discussions will find their way into WordPress and other CMS ecosystems, and we will all want to start preparing ourselves for the bigger conversation of "Securing the WordPress Supply Chain".
This instance is a perfect example of a supply chain problem in WordPress, and we commend BackupBuddy for its focus on creating a safe ecosystem by forgoing its subscription requirement to get the update:
We have made this security update available to all vulnerable BackupBuddy versions (8.5.8 – 188.8.131.52), regardless of your current BackupBuddy licensing status, so no one continues to run a vulnerable version of the BackupBuddy plugin.
This, however, won't be enough. Organizations will still not update, admins will still not know of the problems, and organizations will get popped because of their inability to update the plugin.
All NOC customers were automatically protected from this vulnerability during the zero-day event.